Splunk Search

how to make parent child lookup for multiple levels of child with multiple type of child

shreyans
Path Finder

Hi,

I have parent child relation data in splunk (based on dbid field)
Example
1.Parent Event
<parent>
<dbid>10</dbid>
<compName>abc</compName>
</parent>

2.child event
<child>
<parentdbid>10</parentdbid>
<dbid>11</dbid>
<compName>pqr</compName>
</child>

Few information about events
--> above example is for one parent child relationship, my actual data is deep till 9 level (parent to child to child to child..... upto 9 level)
--> one parent have three kind of children (say network component might have two child called ports, fabric_interconnect, Chassis)

Note below tree which show parent child relationship (dbid4 and dbid4.1 are children of dbid3, dbid2 and dbid6 are children of dbid1, dbid7 dbid7.1 and dbid7.2 are children of dbid6) - each dbid below represent one actual event in splunk which has much more data

dbid1(Block) --> dbid2(Compute) --> dbid3(CPU Rack) --> dbid4(CPU) --> dbid5(Core)
-->dbid4.1(FAN)
--> dbid6(Network) --> dbid7(Chassis) --> dbid8(SubChassis)
-->dbid7.1(Port)
-->dbid7.2(NIC)

Question,
Given above data my requirement is to create parent child dbid lookup table like below

Block Compute CPU_Rack CPU Core FAN
dbid1 dbid2 dbid3 dbid4 dbid5
dbid1 dbid2 dbid3 dbid4.1

Seperate table for another loopup for second subchild of root element Block

Block Network Chassis SubChassis Port NIC
dbid1 dbid6 dbid7 dbid8
dbid1 dbid6 dbid7.1
dbid1 dbid6 dbid7.2

Offcourse above table should be in .csv format

So that i can fulfill the requirement of listing all FAN in my compute resource, Or find out all NIC and Ports which belongs to particular Network components

Any query\command or input is helpful to make required lookup table so that quering events can be easy

Thanks and Best Regards
- Shreyans Soni

Tags (3)
0 Karma

DalJeanis
Legend

If there's no further information in the layout, then there's no way to accurately give you what you want. With regard to the nodes, there is no way to distinguish between the Port and the NIC. Both have the same parent and no children.

What other information is present in the nodes?


So that the community can help you with this, I'm providing the following "run anywhere code" to create test data. It creates four layouts, a through d, that match your nodes.

| makeresults
| eval myfields="Block Compute CPURack CPU FAN Core Network Chassis Port NIC SubChassis"
| makemv myfields
| eval mydata="a10!a20!a30!a40!a41!a50!a60!a70!a71!a72!a80 b10!b20!b30!b40!b41!b50!b60!b70!b71!b72!b80 c10!c20!c30!c40!c41!c50!c60!c70!c71!c72!c80 d10!d20!d30!d40!d41!d50!d60!d70!d71!d72!d80"
| makemv mydata
| mvexpand mydata
| makemv delim="!" mydata
| eval compName=mvzip(myfields,mydata,"=")
| eval mylinks="10,7 9,6 8,6 7,6 6,0 5,3 4,2 3,2 2,1 1,0 0,0" | makemv mylinks | mvexpand mylinks
| makemv delim="," mylinks
| eval dbid=mvindex(mydata,tonumber(mvindex(mylinks,0)))
| eval parentdbid=mvindex(mydata,tonumber(mvindex(mylinks,1)))
| eval parentdbid=if(parentdbid=dbid,null(),parentdbid)
| eval compName=mvindex(compName,tonumber(mvindex(mylinks,0)))
| sort 0 dbid
| table dbid parentdbid compName

With different letters for each set of events, the output looks like this

dbid  parentdbid  compName
a10               Block=a10
a20      a10      Compute=a20
a30      a20      CPURack=a30
a40      a30      CPU=a40
a41      a30      FAN=a41
a50      a40      Core=a50
a60      a10      Network=a60
a70      a60      Chassis=a70
a71      a60      Port=a71
a72      a60      NIC=a72
a80      a70      SubChassis=a80
0 Karma

shreyans
Path Finder

text formatting of this site is showing different output than preview

please read two tables in question like below
dbid4.1 is below column FAN
dbid7.1 is below column Core (chassis, subchassis column are empty for this row)
dbid7.2 is below column NIC (chassis, subchassis column are empty for this row)

0 Karma

DalJeanis
Legend

Use the "code" button -- the one marked 101 010 -- to mark your code or table layouts so that the web interface doesn't smash them all together. I make out your tree to look like this.

1) Is this correct?

2) is this always the exact relationship of the nodes, or can there be other types of events mixed in as well?

dbid compname
1   Block
2   Compute
3   CPU Rack
4   CPU
4.1 FAN
5   Core
6   Network
7   Chassis
7.1 Port
7.2 NIC
8   SubChassis




1->(2,6)
    2-> 3
        3-> (4,4.1)
            4-> 5
    6->(7,7.1,7.2)
        7->8
0 Karma

kshbq
Engager

Any updates on the answers

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...